The U.S. Department of Justice is quietly shopping around the explosive idea of requiring Internet service providers to retain records of their customers' online activities.

Data retention rules could permit police to obtain records of e-mail chatter, Web browsing or chat-room activity months after Internet providers ordinarily would have deleted the logs--that is, if logs were ever kept in the first place. No U.S. law currently mandates that such logs be kept.

In theory, at least, data retention could permit successful criminal and terrorism prosecutions that otherwise would have failed because of insufficient evidence. But privacy worries and questions about the practicality of assembling massive databases of customer behavior have caused a similar proposal to stall in Europe and could engender stiff opposition domestically.

News.context

What's new:
The U.S. Department of Justice is mulling data retention rules that could permit police to obtain records of e-mail, browsing or chat-room activity months after ISPs ordinarily would have deleted the logs--if they were ever kept in the first place.

Bottom line: Data retention could aid criminal and terrorism prosecutions, but privacy worries and questions about the practicality of assembling massive databases of customer behavior could engender stiff opposition to the proposal.

In Europe, the Council of Justice and Home Affairs ministers say logs must be kept for between one and three years. One U.S. industry representative, who spoke on condition of anonymity, said the Justice Department is interested in at least a two-month requirement.

Justice Department officials endorsed the concept at a private meeting with Internet service providers and the National Center for Missing and Exploited Children, according to interviews with multiple people who were present. The meeting took place on April 27 at the Holiday Inn Select in Alexandria, Va.

"It was raised not once but several times in the meeting, very emphatically," said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies.
"We were told, 'You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn.'"

McClure said that while the Justice Department representatives argued that Internet service providers should cooperate voluntarily, they also raised the "possibility that we should create by law a standard period of data retention." McClure added that "my sense was that this is something that they've been working on for a long time."

This represents an abrupt shift in the Justice Department's long-held position that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration
expressed "serious reservations about broad mandatory data retention regimes."

The current proposal appears to originate with the Justice Department's
Child Exploitation and Obscenity Section, which enforces federal child pornography laws. But once mandated by law, the logs likely would be mined during terrorism, copyright infringement and even routine criminal investigations. (The Justice Department did not respond to a request for comment on Wednesday.)

"Preservation" vs. "Retention"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional
Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

"We were told, 'You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn.'"

--Dave McClure, president, U.S. Internet Industry Association

Child protection advocates say that this process can lead police to dead ends if they don't move quickly enough and log files are discarded automatically. Also, many Internet service providers don't record information about instant-messaging conversations or Web sites visited--data that would prove vital to an investigation.

"Law enforcement agencies are often having 20 reports referred to them a week by the National Center," said Michelle Collins, director of the exploited child unit for the National Center for Missing and Exploited Children. "By the time legal process is drafted, it could be 10, 15, 20 days. They're completely dependent on information from the ISPs to trace back an individual offender."

Collins, who participated in the April meeting, said that she had not reached a conclusion about how long log files should be retained. "There are so many various business models...I don't know that there's going to be a clear-cut answer to what would be the optimum amount of time for a company to maintain information," she said.

McClure, from the U.S. Internet Industry Association, said he counter-proposed the idea of police agencies establishing their own

About the author

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio